DOMAIN MAPPING METHOD AND SYSTEM

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is related to U.S. patent application Ser. No. 09/222,414, issued as U.S. Pat. No. 6,301,668 on Oct. 9, 2001, entitled "Method and System for Adaptive Network Security Using Network Vulnerability Assessment", filed Dec. 29, 1998, and presently pending U.S. application Ser. No. 09/223,071, entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis", filed Dec. 29, 1998.

TECHNICAL FIELD OF THE INVENTION

The present invention relates in general to computer networks and, more particularly, to a method and system for domain mapping of a network.

BACKGROUND OF THE INVENTION

Network security products such as intrusion detection systems (ID systems) and firewalls can use a passive filtering technique to detect policy violations and patterns of misuse upon networks to which the security products are coupled. The passive filtering technique usually comprises monitoring traffic upon the network for packets of data. A signature analysis or pattern matching algorithm is used upon the packets, wherein the packets are compared to "attack signatures", or signatures of known policy violations or patterns of misuse.

In order to properly detect policy violations and patterns of misuse, security products often must place the packets of data in contexts relevant to such connection criteria as space, time, and event. Space is usually defined in terms of a source-destination connection at the port level. Time is defined as the amount of time to continue associating packets for the type of connection defined by the source-destination connection. Event is defined as a type of connection, which in turn defines the types of policy and misuse signatures that can occur with each packet. As the size of a network expands, there are greater numbers of connections, which leads to greater numbers of lookups and comparisons that must be performed by the security product.

Two problems are associated with conventional security products. First, conventional security products have insufficient information to self-configure for reliable detection of policy violations and patterns of misuse. For example, conventional security products have no mechanism to reliably ascertain network information of the network to which the security product is coupled. This leads to disadvantages such as being unable to accurately predict the effect of a particular packet upon a destination device. Furthermore, a conventional security product has no mechanism to ascertain the network topology and thus cannot predict if a certain packet will reach its intended destination. Such a lack of network information compromises the security product's ability to detect attacks such as insertion attacks, evasion attacks and denial of service attacks. Some of these problems with conventional security products are documented by Ptacek and Newsham, Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection, Secure Networks Incorporated, January 1998.

A second problem associated with conventional security products is the result of scarcity of processor and memory resources. Conventional security products may begin to drop packets and shut down certain tasks in an unpredictable fashion once the system depletes its memory or processor resources. As the size of a network grows, such a failure becomes more likely, as the greater number of connections onto the network requires a greater number of lookups and comparisons performed by the security product. Additionally, an increase in the number and complexity of the types of misuse the security product is required to detect can further degrade performance. An increase in traffic flow further drains a security product's resources. For example, conventional intrusion detection systems cannot operate effectively at high network bandwidth utilization.

Some conventional systems have attempted to achieve performance gains by decreasing the number of misuse signatures the security product monitors. Fewer signatures translate into fewer memory comparisons for each packet that flows through the security product. However, such a solution makes a network more vulnerable to attacks.

Other conventional systems rely on the user to enumerate the network information, such as the types of operating systems and applications running on the protected network. These systems then disable certain misuse signatures accordingly.

Such a conventional solution, however, introduces its own problems. For example, if the user provides an inaccurate assessment of the network, then incorrect signatures may be disabled, meaning that undetected policy violations and network attacks are possible. Additionally, networks are rarely stable environments, and the addition or deletion of devices or services can make the original network information supplied by the user inaccurate.

A further disadvantage of such conventional security products is that they are not designed to function in an environment wherein the traffic exceeds their memory or processor capacity. Such conventional systems, when confronted with traffic that exceeds their capacity, may start dropping packets and degrade performance in an unpredictable fashion. This can lead to an unknown security posture or profile, which can leave a network more vulnerable to undetected attacks.

SUMMARY OF THE INVENTION

Therefore, a need has arisen for a method and system that provides a centralized domain mapping of network device information with minimized acquisition overhead and rapid availability to queries from network devices, including network security devices.

A further need exists for a method and system that provides a centralized domain mapping of network device information available for querying by network devices regardless of the capability of the querying network devices to independently acquire network device information.

In accordance with the present invention, a domain mapping method and system is disclosed that provides significant advantages over conventional methods and systems for providing network device information for use by network devices, such as network security devices. A domain mapping device interfaces with plural network devices through the network to receive and store network information from one or more of the network devices, and to provide the network information to one or more network devices upon receiving a query.

More specifically, the domain mapping device includes an acquisition engine for acquiring the network information, a hypercube storage for storing the network information, and a query engine for responding to queries from network devices for the network information. The acquisition engine
can acquire network information through active capture, 
passive capture, polling, or, in cooperation with a network 
device, through pushing of the network information from the 
network device. The hypercube storage provides a 
dimensional, highly indexed data store with a compact 
footprint and superior update and query performance char- 
acteristics. The query engine supports network device que- 
ries of network information, including device type, services, 
operating system and vulnerability data. 

One technical advantage of the present invention is that it 
provides a centralized source of network information that 
reduces data acquisition overhead and the time needed to 
obtain network information from network devices. The 
reduced overhead and time associated with obtaining net- 
work information, in turn, supports a more scalable adaptive 
network security solution. 

Another technical advantage of the present invention is 
that the centralized storage of network information supports 
access by network devices to all types of network informa- 
tion independent of the network devices' capability to
acquire such data. For instance, network devices that include 
only passive data sampling capabilities could query the 
domain mapping device to obtain data available only 
through active scans. Further, network devices that lack data 
acquisition capabilities can obtain otherwise unavailable 
network information from the domain mapping device. 

It is a further technical advantage of the present invention 
that it allows devices coupled to the network to auto-configure
based upon the network information. 

It is an additional technical advantage of the present 
invention that it allows devices to adapt configurations 
according to a changing network environment, as reflected 
in changing network information. 

It is another technical advantage that the present invention 
reduces network overhead associated with network infor- 
mation acquisition because it represents a centralized 
depository of the network information. 

BRIEF DESCRIPTION OF THE DRAWINGS 

A more complete understanding of the present invention 
and advantages thereof may be acquired by referring to the 
following description taken in conjunction with the accom- 
panying drawings, in which like reference numbers indicate
like features, and wherein: 

FIG. 1 is a flow diagram of various embodiments of a 
method of operation of a system for adaptive network 
security; 

FIG. 2 is a block diagram depicting a network domain 
with network devices and their associated operating 
systems, services and potential vulnerabilities; 

FIG. 3 is a block diagram depicting a network domain that 
includes a domain mapping device; and 

FIG. 4 is a flowchart illustrating a method for mapping a 
network domain. 

DETAILED DESCRIPTION OF THE 
INVENTION 

FIG. 1 is a flow diagram of various embodiments of a
method of operation of a system for adaptive network 
security. An ID System is one such security system that 
could benefit from the adaptive network security system of 
the present invention. 

In the method of FIG. 1, network information is acquired 
at step 1. Network information can comprise, for example, 
the devices, operating systems, and services available on a 
network. 
In the embodiments of FIG. 1, such network information can be gathered by an active process 2, a passive process 4, or a query process 3. Active process 2 can include port scans, pinging, and other active methods performed on devices coupled to the network, as well as monitoring responses (such as banners) sent in response to such active methods. One such active process is described in the related U.S. patent application Ser. No. 09/222,414 entitled "Method and System for Adaptive Network Security Using Network Vulnerability Assessment", filed Dec. 29, 1998, now U.S. Pat. No. 6,301,668. A second alternative to acquire network information is passive process 4. Passive process 4 allows a security device using the present invention to acquire network information without placing additional traffic on the network. One such passive process is an intelligent packet analysis. A method and system for adaptive network security using intelligent packet analysis is described more fully below in the related U.S. patent application Ser. No. 09/223,071 entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis", filed Dec. 29, 1998.

The third process for obtaining network information, query process 3, can comprise sending a query to a domain mapping service, wherein the domain mapping service maintains a compilation of network information. Such a domain mapping service is the subject of the present invention. Such a domain mapping service can respond to such a request by sending the network information to a source of the request. Such a query system is referenced in the patents listed above, and the domain mapping system is explained more fully below.

Once network information is acquired, an analysis of the network information at step 5 is performed. For example, a network map can be generated to compile the network information. At step 6, a priority analysis is performed using the analysis of the network information at step 5. For example, an ID system can configure itself to perform based upon potential vulnerabilities identified by the analysis at step 5.

The performance of steps 1-5, 6 and 7 can be distributed among various devices coupled to a network. For example, processes performing such tasks could be distributed among various devices in order to conserve processor resources. Alternatively, the processes performing steps 1-7 can be integrated into a single device, such as an ID system or firewall.

Security devices protect network devices associated with a predetermined domain of the network from unauthorized or malicious use. In order to provide the broadest possible protection, security devices need access to information about the network devices associated with the network domain being protected. However, the topology of a typical network domain changes rapidly as network devices are interfaced or brought online to the network domain. The domain mapping method and system of the present invention provides reliable information about network devices associated with the domain so that security devices can provide the broadest possible protection against unauthorized or malicious use of the network devices. Further, the domain mapping method and system supports storage of domain mapping information to reduce overhead associated with acquiring and using the domain mapping information. The stored domain mapping information is available for use by network security devices.

Referring now to FIG. 2, a block diagram depicts a typical network topology. Internet 10 interfaces with network domain 12 having plural network devices. A router 14 accepts network traffic from Internet 10 and provides the network traffic to a firewall 16. Firewall 16 is a network security device that monitors network communication [illegible]. Intrusion detection system 18 also monitors network traffic to detect attack signatures associated with unauthorized or malicious use of network devices. Intrusion detection system 18 is shown as placed between firewall 16 and router 14. However, those skilled in the art will recognize that intrusion detection system 18 can alternatively be positioned behind firewall 16 or between router 14 and Internet 10, or possibly within another device such as workstation 32.

FIG. 2 includes device type rows 20, which depict exemplary device types associated with network domain 12. Operating system rows 22, service rows 24 and vulnerability rows 26 depict the operating systems, services and potential vulnerabilities associated with each device type. For instance, router 14 uses operating system IOS 11.3 and provides telnet and TFTP services. Potential vulnerabilities associated with router 14 include [illegible] ports open vulnerabilities. Other devices interfaced with network domain 12 include workstations 32, 36, 38 and 40, and file server 34. Each of these network devices can use the associated operating system of operating system rows 22 and the services of services rows 24. Potential vulnerability rows 26 identify potential vulnerabilities associated with these network devices.

Referring now to FIG. 3, a block diagram depicts a domain mapping device 46 interfaced with network 12. Domain mapping device 46 resides behind firewall 16. Domain mapping device 46 includes an acquisition engine 48, hypercube storage 50 and a query engine 52. Domain mapping device 46 supports acquisition of network information for the network devices of network 12, storage of the network information and a query interface to allow network devices to query stored network information from the domain mapping device 46. Thus, domain mapping device 46 acts as a centralized data repository of network information, such as the device type, operating system, services, and network vulnerabilities of network devices associated with network domain 12.

Acquisition engine 48 of domain mapping device 46 enables the acquisition of network information through a number of different methods. One method of acquiring network information is active capture of the network information from network devices. To perform active capture of network information, acquisition engine 48 sends messages to one or more network devices to actively query for network information, including identification of each device type, and its operating system, services and potential vulnerabilities. Acquisition engine 48 can also send messages to a network vulnerabilities assessment device 44 that performs assessments of network devices to determine potential vulnerabilities. The method of acquiring network information by active capture and the operation of network vulnerabilities assessment device 44 is described in greater detail in U.S. patent application Ser. No. 09/107,964, now U.S. Pat. No. 6,324,656, entitled "System and Method for Rules-Driven Multi-Phase Network Vulnerability Assessment," and U.S. patent application Ser. No. 09/222,414, now U.S. Pat. No. 6,301,668, entitled "Method and System for Adaptive Network Security Using Network Vulnerability Assessment," which are incorporated herein by reference. As shown in FIG. 2, network vulnerabilities assessment device 44 can be placed in various configurations, such as behind firewall 16, between firewall 16 and router 14, and in front of router 14.

Another method for acquiring network information is passive capture. Acquisition engine 48 performs passive capture by monitoring network traffic and analyzing the network traffic to determine the network information of network devices. For instance, by monitoring data packets sent to file server 34, acquisition engine 48 can determine the operating system and services provided, such as a Solaris operating system that performs FTP transfers. Once the operating system and services are known, acquisition engine 48 can determine known vulnerabilities associated with the operating system and services. Passive capture of network information reduces network overhead. U.S. patent application Ser. No. 09/223,071, entitled "Method and System for Adaptive Network Security Using Intelligent Packet Analysis," discloses passive capture techniques in greater detail and is incorporated herein by reference.

Two additional techniques for acquiring network information are polling of network devices and pushing network information from network devices to acquisition engine 48. Polling is performed by sending a series of queries (such as SNMP) to the network devices to determine their response. Pushed data is enabled by using push technology to send data from the network devices to acquisition engine 48 for analysis. The polling and push data acquisition techniques can take advantage of capabilities for certain network devices to collect their own data.

Once network information is acquired, it is stored in hypercube storage 50 of domain mapping device 46. Network information is inherently dimensional, lending itself to the hypercube storage techniques described in U.S. patent application Ser. No. 09/107,790, entitled "System and Method for Real-Time Insertion of Data Into a Multi-Dimensional Database for Network Intrusion Detection and Vulnerability Assessment," which is incorporated herein by reference. Although other embodiments of domain mapping device 46 can use conventional data storage techniques, the highly indexed data store of hypercube storage provides a compact footprint with superior query and update performance characteristics that enhance overall system performance. As depicted by cube 54, the three dimensional hypercube storage can associate device type information, service information, and vulnerability information with each dimension of the hypercube.

Query engine 52 interfaces the network information with network devices through queries made by the network devices. For instance, intrusion detection system 18 can query engine 52 to obtain network information, such as identification of a device operating system, services and vulnerabilities, for a network device, such as file server 34, that is protected by intrusion detection system 18. The network information allows intrusion detection system 18 to provide maximum protection of file server 34 or other network devices based upon the most current possible data available through domain mapping device 46. Query engine 52 provides a device configuration for each application running on the network device. Query engine 52 also supports classic grammar for data selection, group by, and sort criteria. Thus, intrusion detection system 18 can obtain a list of vulnerabilities for a specific network domain that is grouped by operating system and sorted into descending order of incidence.

Domain mapping device 46 provides a centralized source of network information that greatly reduces data acquisition overhead on the network as well as the time it takes to obtain network information. The centralized data storage allows access to all types of data for network devices regardless of how the data was acquired. For instance, network devices that only have passive sampling data capabilities can query domain mapping device 46 to obtain data only available via active scans. Further, devices that have no data acquisition capabilities can obtain all of their information from domain mapping device 46.

FIG. 4 is a flowchart illustrating a method for mapping a 
network domain. The method begins at step 100 which 
involves acquiring network information for one or more 
network devices associated with the network domain. Next, 
at step 102, the method involves storing the network infor- 
mation. Then, at step 104, interfacing the stored network 
information with the network is performed. Proceeding to 
step 106, querying the stored network information with one 
or more of the network devices is performed. 
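As an added illustration (not code from the patent or its assignee), the following Python models the three components described above and the FIG. 4 steps: an acquisition engine that ingests passively captured banners and device-pushed records, a dimensional store with an index on every dimension, and a query engine that answers the example query in the text, vulnerabilities for the domain grouped by operating system in descending order of incidence. The device names, operating system and service values, and the (OS, service) to vulnerability table are all constructed for the example.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Constructed knowledge base (hypothetical): (OS, service) -> known vulns.
KNOWN_VULNS = {
    ("IOS 11.3", "telnet"): ["telnet-port-open"],
    ("IOS 11.3", "tftp"): ["tftp-port-open"],
    ("Solaris", "ftp"): ["ftp-anon-login", "ftp-bounce"],
    ("Solaris", "telnet"): ["telnet-port-open"],
    ("Windows NT", "smb"): ["smb-null-session"],
}
# Constructed passive observations: (device, type, OS from banner, service).
PASSIVE_CAPTURE = [
    ("router-14", "router", "IOS 11.3", "telnet"),
    ("router-14", "router", "IOS 11.3", "tftp"),
    ("fileserver-34", "server", "Solaris", "ftp"),
    ("fileserver-34", "server", "Solaris", "telnet"),
    ("fileserver-34", "server", "Solaris", "ftp"),  # repeated banner
]
# Constructed records pushed by devices that inventory themselves.
PUSHED = [
    ("workstation-32", "workstation", "Windows NT", "smb"),
    ("workstation-36", "workstation", "Solaris", "telnet"),
    ("workstation-38", "workstation", "Windows NT", "smb"),
]
DIMS = ("device", "type", "os", "service", "vuln")


@dataclass
class HypercubeStorage:
    """Each fact is one cell; every dimension keeps a set index over cells."""
    cells: set = field(default_factory=set)
    index: dict = field(default_factory=lambda: defaultdict(set))

    def insert(self, cell):
        if cell in self.cells:          # re-observed facts do not create cells
            return False
        self.cells.add(cell)
        for dim, value in zip(DIMS, cell):
            self.index[(dim, value)].add(cell)
        return True

    def select(self, **where):
        # Selection = intersection of the per-dimension index sets.
        hits = [self.index.get(k, set()) for k in where.items()] or [self.cells]
        return set.intersection(*hits)


class AcquisitionEngine:
    def __init__(self, store):
        self.store = store

    def ingest(self, records):
        """Map (device, type, os, service) facts to vulnerability cells."""
        added = 0
        for device, dev_type, os_name, service in records:
            for vuln in KNOWN_VULNS.get((os_name, service), ["none-known"]):
                added += self.store.insert((device, dev_type, os_name, service, vuln))
        return added


class QueryEngine:
    def __init__(self, store):
        self.store = store

    def vulns_by_os(self, **where):
        """Group by OS; sort each group (and the groups) by descending incidence."""
        cells = [c for c in self.store.select(**where) if c[4] != "none-known"]
        counts = Counter((c[2], c[4]) for c in cells)   # devices per (OS, vuln)
        grouped = defaultdict(list)
        for (os_name, vuln), n in counts.items():
            grouped[os_name].append((vuln, n))
        for group in grouped.values():
            group.sort(key=lambda t: (-t[1], t[0]))
        order = sorted(grouped, key=lambda o: (-sum(n for _, n in grouped[o]), o))
        return {o: grouped[o] for o in order}


def build_domain_map():
    store = HypercubeStorage()                          # FIG. 4: acquire, store
    AcquisitionEngine(store).ingest(PASSIVE_CAPTURE + PUSHED)
    return store, QueryEngine(store)                    # interface, query
```

A security device with only passive capture of its own can ask `vulns_by_os(device=...)` and receive facts that were pushed by the device or collected elsewhere, which is the point made in the text about centralized storage.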

Although the present invention has been described in 
detail, it should be understood that various changes, substi- 
tutions and alterations can be made thereto without depart- 
ing from the spirit and scope of the invention as defined by 
the appended claims. 

What is claimed is: 

1. A system for mapping a network domain, the system comprising:

plural network devices interfaced with the network, each network device having network information; and

a domain mapping device interfaced with the network, the domain mapping device operable to:

receive and store the network information from one or more network devices,

provide the network information to an intrusion detection system upon receiving a query,

analyze the stored network information,

generate a network map based on the analysis and the stored network information,

determine a potential vulnerability based on the analysis, and

configure the intrusion detection system based on the network map and the potential vulnerability.

2. The system of claim 1 wherein the domain mapping 
device further comprises an acquisition engine operable to 
acquire network information. 

3. The system of claim 2 wherein the acquisition engine 
acquires network information with active capture of the 
network information from one or more network devices. 

4. The system of claim 2 wherein the acquisition engine 
acquires network information with passive capture of the 
network information from one or more network devices. 

5. The system of claim 2 wherein the acquisition engine 
polls the one or more network devices to acquire network 
information from the one or more network devices. 

6. The system of claim 2 wherein the acquisition engine 
receives network information pushed from one or more 
network devices. 
7. The system of claim 1 wherein the network information
comprises vulnerabilities of the one or more network
devices.

8. The system of claim 7 wherein the network information
further comprises device type, services and operating system
information of the one or more network devices.

9. The system of claim 1 wherein the domain mapping 
device further comprises hypercube storage operable to store 
network information. 

10. The system of claim 1 wherein the domain mapping 
device further comprises a query engine operable to respond 
to queries from one or more network devices for network 
information. 

11. A method for mapping a network domain comprising the steps of:

acquiring network information for one or more network devices associated with the network domain;

storing the network information;

interfacing the stored network information with the network;

querying the stored network information with an intrusion detection system;

analyzing the stored network information;

generating a network map based on the analysis and the stored network information;

determining a potential vulnerability based on the analysis; and

configuring the intrusion detection system based on the network map and the potential vulnerability.

12. The method of claim 11 wherein the acquiring step
comprises active capture of network information from one
or more of the network devices.

13. The method of claim 11 wherein the acquiring step
comprises passive capture of network information from one
or more of the network devices.

14. The method of claim 11 wherein the acquiring step
comprises polling network devices for network information.

15. The method of claim 11 wherein the acquiring step
comprises pushing network information from one or more
network devices for storage on a centralized repository.

16. The method of claim 11 wherein the network infor- 
mation comprises identification of one or more services 
associated with one or more of the network devices. 

17. The method of claim 11 wherein the network infor-
mation comprises identification of one or more operating
systems associated with one or more of the network devices.

18. The method of claim 11 wherein the network infor- 
mation comprises identification of the device type of one or 
more network devices. 

19. The method of claim 11 wherein the network infor-
mation comprises vulnerabilities of one or more of the 
network devices. 

20. The method according to claim 11 wherein the storing
step comprises hypercube storage of the network informa-
tion.
